2

The project I'm currently working on has a whole bunch of JSON actions in order to populate cascading dropdowns via ajax calls. Since they're technically Select queries and we're trying to be RESTful, we've been marking these actions with the HttpGet attribute. However, by default, JsonResult does not allow returning results via a GET. So we've had to explicitly call Json(data, JsonRequestBehavior.AllowGet).

What I'm wondering is, is this bad practice? Should we only be allowing Post requests to our Json actions? If it makes a difference, this is an enterprise application, that requires a log in to a particular environment before it can be accessed.

Vadim

2 Answers

2

In my practice I use the following rule to decide which HTTP method is appropriate for a situation: if you only retrieve data, then use GET, and if you're changing the state of something, then use POST.

From www.w3.org:

Use GET if:

  • The interaction is more like a question (i.e., it is a safe operation such as a query, read operation, or lookup).

Use POST if:

  • The interaction is more like an order, or
  • The interaction changes the state of the resource in a way that the user would perceive (e.g., a subscription to a service), or
  • The user be held accountable for the results of the interaction.

Another case where you need to use POST is when you have to send a lot of data to a server.

If the length of your query strings is less than 1000, then GET is for you.

bniwredyc
  • That is pretty much the same rule we are following as well. I wanted to ask about your last comment in regards to the size of your query string. Most of our GET actions, (I'm talking about all actions now, not just json) typically have small query strings. <100 characters. However, we do have 2 instances where we can have large query strings (sometimes up to 1500.) What are the downsides of allowing this? – Vadim Jan 14 '11 at 15:13
  • Actually I don't see any significant downsides of big query strings. It's an old thing about URL max length - check out this question: http://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-an-url If you can open the URL in your browser it can make debugging a little easier - that's all. – bniwredyc Jan 14 '11 at 17:58
1

As bniwredyc already pointed out, the general rule of thumb is to use GET only if the operation does not alter state / is repeatable etc., otherwise use POST. Thus, GET is probably appropriate in the scenario you are describing.

However, returning JSON in response to a GET request can in some cases allow someone to steal that data (Phil Haack has a nice example). So, you have to ask yourself: is the data returned and used to populate the dropdowns confidential? If so, you may want to go with a POST. If not you can safely use a GET.

Rune
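The two choices in the answer above, as an added ASP.NET MVC example that is not part of the original answers: a GET action for non-confidential lookups that wraps its list in an object (the data theft the answer refers to concerns GET responses whose body is a top-level JSON array), and a POST-only action for confidential ones. The controller, action and type names and the sample data are assumptions.

```csharp
using System.Linq;
using System.Web.Mvc;

// Hypothetical type for one dropdown entry.
public class Option
{
    public int Id { get; set; }
    public int ParentId { get; set; }
    public string Name { get; set; }
}

// Hypothetical controller; names are illustrative only.
public class DropdownController : Controller
{
    // Constructed sample data standing in for the real query.
    private static readonly Option[] SampleOptions =
    {
        new Option { Id = 10, ParentId = 1, Name = "North" },
        new Option { Id = 11, ParentId = 1, Name = "South" },
        new Option { Id = 20, ParentId = 2, Name = "East" }
    };

    private static object ChildrenOf(int parentId)
    {
        var items = SampleOptions.Where(o => o.ParentId == parentId)
                                 .Select(o => new { o.Id, o.Name })
                                 .ToList();
        // Wrap the list so the response body is {"items":[...]},
        // never a bare top-level JSON array.
        return new { items };
    }

    // Non-confidential lookup: GET is opted into explicitly.
    [HttpGet]
    public JsonResult Regions(int countryId)
    {
        return Json(ChildrenOf(countryId), JsonRequestBehavior.AllowGet);
    }

    // Confidential lookup: POST only. Json(data) keeps the default
    // JsonRequestBehavior.DenyGet, so the result refuses to serialize
    // if it is ever executed for a GET request.
    [HttpPost]
    [Authorize]
    public JsonResult Accounts(int regionId)
    {
        return Json(ChildrenOf(regionId));
    }
}
```

With the wrapper in place, the client reads the entries from the `items` property of the response instead of treating the response itself as the array.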